Everything You Need To Know About Data Sharing Agreements

You may be asking, “What is a data sharing agreement?” and “Why do they matter?” Every day, thousands of organisations across the UK share personal data with one another and with organisations overseas, whether by transmission, dissemination or otherwise making data available to one another or to others. This sharing activity is characterised by each organisation involved having its own intrinsic purpose for processing the data, beyond commercial gain, and control over how it is processed.

This could look like an NHS Trust sending a patient’s data to their hospital so that the hospital can provide the patient with better care, or a GP sending all the patient data it holds to a national database to aid analysts in carrying out important clinical research. It could also look like a private corporation sending its HR data to a private software-as-a-service provider that in turn uses it to boost its marketing strategy.

This article looks at what organisations sharing personal data to, within, or from the UK need to know about data sharing agreements. These agreements, commonly referred to simply as ‘DSAs’, can take other forms and go by other names, such as Information Sharing Agreements, Information Sharing Protocols, Data Sharing Contracts or Personal Information Sharing Agreements.

Importance of Data Sharing Agreements

Let’s start by quickly breaking down why data sharing agreements are important:

A data-sharing agreement is a document outlining the data sharing initiative of multiple parties who share personal data, defining their roles, responsibilities, and rights.

It’s essential for demonstrating accountability and compliance with data protection legislation, such as the UK GDPR.

A data-sharing agreement helps prevent data misuse and personal data breaches.

  1. Data Sharing Agreements are agreements between data controllers who share personal data with each other. By contrast, data processing agreements govern data sharing between a data controller and a data processor.
  2. Controllership is not determined by contract, but rather determined by fact. In other words, it doesn’t matter what the agreement states you are, if you factually determine the means and purpose of a processing activity, you are a data controller. If you factually carry out a data processing activity on the instructions of another party, you are a data processor.
  3. Unlike a data processing agreement, a data sharing agreement is not a legal requirement.

Although data sharing agreements are not a legal requirement, they are a very useful good-practice tool, and there are multiple reasons why you should have one.

It fits within your broader legal obligations

According to Article 5 of the UK GDPR and Data Protection Act 2018 – the two pieces of legislation on data protection in the UK – personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

This is referred to as the ‘lawfulness, fairness and transparency’ principle, and it is accomplished by putting in place a data sharing agreement, as these agreements ensure that a lawful basis is established and that all purposes of the processing are clearly defined and communicated.

Furthermore, Article 5 mandates that the controller shall be responsible for, and must be able to demonstrate, compliance with the principle of lawfulness, fairness and transparency. Data sharing agreements are a great way of demonstrating the controller’s responsibility and commitment to lawful, fair and transparent processing practices, as – if drafted well – they account for all aspects of the processing.

It builds trust

Trust between an organisation and the data subjects whose data it processes is of essential importance, whether that organisation is public or private. A public organisation needs that trust in order to carry out its public mission adequately, such as an NHS trust collecting the health information of its patients in an effort to administer optimised healthcare, and a private organisation needs that trust in order to build its client base, such as a clothing company collecting the email addresses of its clients to send them marketing relevant to their recent purchases.

Having a data sharing agreement in place with the organisations they share personal data with is an essential component to building that trust, allowing individuals to easily access all relevant information about the processing that the different parties have agreed between themselves, including their motives for doing so.

It is a good tool for efficiency

Beyond data protection and information governance considerations, data sharing agreements are useful on an efficiency level for establishing a clear standard and expectation with the organisations you are sharing data with. They can also help prevent data breaches and ensure that the parties have considered the security of the shared data.

As data-sharing agreements are not legal requirements, there is no list of mandatory items to include in one. Nonetheless, below are the elements that one should include if aiming to draft a comprehensive and complete agreement.

All aspects of the agreement should be drafted in collaboration with the other organisations involved.

Essential Elements to Include when sharing personal data

It can be difficult to know what to include in a data sharing agreement and when sharing personal data. We’ve outlined the essential elements that are often in these agreements:

  • Clear definitions of the data shared, the purposes of the data sharing, and the responsibilities of the parties involved.
  • Provisions for data security and the overall security measures that protect the data, data breach notification, and dispute resolution.
  • The identity of all parties involved in the data sharing, including the contact details of their data protection officer and any other senior stakeholders relevant to the data sharing, together with their roles and responsibilities.
  • A description of the purpose of the data sharing initiative.
  • Any other party involved in the data sharing.
  • Details of which data items will be shared, including any sensitive data or special category data.
  • The lawful bases for the data sharing and, if they differ, the lawful basis relied on by each data controller (joint controller or independent controller).
  • Whether any special category data or otherwise sensitive data will be shared.
  • How data subjects’ rights will be upheld.
  • What information governance arrangements will be used.
  • If there is any data transfer to third countries, the lawful transfer mechanism and the appropriate safeguards that exist to protect the personal data.

We hope this article has provided an initial outline of everything you need to know about Data Sharing Agreements when you share personal data to, within, or from the UK. If you have any questions or want expert support in completing a data sharing agreement, check out our services or send us an enquiry at info@informationgovernanceservices.com, where a data subject expert can get in touch to support you.

What are the purposes of a data sharing agreement?

The purpose of a data sharing agreement is to set out the purpose of data sharing between data controllers, whether joint controllers or independent controllers. It differs from some commercial contracts in that it is not a mandatory requirement. Such agreements aim to set out what happens to the personal data at each stage, set the standards required of all parties, and make their roles and responsibilities clear.

Ultimately, a data sharing agreement can help demonstrate accountability obligations under the UK GDPR and help avoid regulatory action and non-compliance with what the law requires.

Is a data sharing agreement a legal requirement?

Key to understanding why data sharing agreements are not a legal requirement is understanding what it means to be a data controller. As a data controller is the organisation that determines the means and purpose of a particular data processing activity, it carries the weight of the responsibility for upholding the obligations set down by the UK GDPR. This responsibility ranges from verifying that data is processed safely and ensuring that it is processed under a valid legal basis for no longer than is necessary for the purpose, to notifying data subjects in the event that a breach has occurred and liaising with the Information Commissioner’s Office.

As established in Fact #2, whether or not it recognises itself as a data controller, if an organisation has factually determined the means and purpose of a particular data processing activity, the onus falls on that organisation, and so will all liability towards data subjects and the regulator. It is for this reason that data sharing agreements – which are only between controllers – are not a legal obligation; the provisions of the UK GDPR already rest on controllers’ shoulders.

Data Processing Agreements, on the other hand (between a controller and its processor), are legally required. This is not because they prescribe a status of ‘controller’ to one organisation and ‘processor’ to another; those statuses are not contractually prescribed (Fact #2). It is because they set out a boundary.

If an organisation stays within the boundary described (the boundary being the instructions given to it by another organisation), then it is factually a processor. If it goes beyond that boundary, it is factually a controller. Having that boundary agreed in writing in the form of a data processing agreement is essential, as it protects both the processor (relieving it of full responsibility under the UK GDPR if it stays within its bounds) and the controller (which will not be alone in its responsibility if the processor oversteps the boundary).

What is data sharing under the GDPR/UK GDPR?

There is no formal definition of data sharing within the legislation. The Information Commissioner’s Office Data Sharing code of practice focuses on how controllers share personal data with each other and how they can achieve a robust data sharing agreement.

Data sharing does not cover the disclosure of data within the same organisation; it concerns sharing data externally. The scope of the data sharing code of practice is defined by s121 of the Data Protection Act 2018, which includes “the disclosure of personal data by transmission, dissemination or otherwise making it available”.

This could include providing personal data to a third party, receiving personal data as a joint participant in a data sharing agreement, the two-way transmission of personal data, and providing a third party with a way to access personal data via your IT systems.
